You may be one of a thousand or more lucky people on the University of
Washington campus who were told you need to change your password
because of a "network sniffer" attack. Since before April 1997, there
have been dozens of sniffer incidents on UW local area networks.

Because these attacks are continuing -- with no end in sight -- it is
important that you, as an Internet user, understand how your passwords
are vulnerable and take appropriate measures to secure your computer
accounts. Choosing "good" passwords and changing them frequently is
part of the solution; so is knowing when you are vulnerable to
sniffers and how to deal with them.

What is a "sniffer"?

A "sniffer" is a program that monitors communications on a local area
network, or "LAN".

There are millions of small LANs -- each building on campus where your
computers are connected, for example, has one or more LANs -- that are
in turn connected to bigger networks like the University of
Washington's network, which are in turn connected to even larger
networks. The sum of all these interconnected networks is the "thing"
we call the Internet.

Many of these LANs are made up of shared Ethernet segments, on which
all systems communicate over the same physical medium, so every
network interface on the segment receives every packet sent on it.
Practically any system on such a shared Ethernet LAN can be turned
into a sniffer and used to steal the passwords of users connecting to
or from hosts on that LAN.

Sniffers work by monitoring the communication flow on a LAN to find
when someone begins using a network service, such as a terminal
emulator session using "telnet", a file transfer session using "ftp",
or a remote electronic mail session using IMAP or POP services.

All these services are handled with "protocols", and each protocol, or
service, has its own identifying number (its "port"). When you connect
from one computer to another using a particular service, it's like
making a call to a switchboard, where an operator asks what extension
you want and then transfers your call, going back to wait patiently to
accept a new call.

Similar to the diplomatic term, "protocols" are strict rules that
define how a particular session is established, how your account is
identified and authenticated, and how the service is used. It is the
authentication part of these protocols, which occurs at the start of
every session, that the sniffer gathers.

B: That matches the password for "dittrich" that I have stored;
"dittrich" may now transfer files.

...and so on.

How would my password be "sniffed"?

To understand how the sniffer works, let's use an analogy of the LAN as
a hallway in a building, with each room being a computer.

Each room (computer) has a doorway connecting it to the hall (the
network), and there is a person standing in each doorway (a "network
interface") to facilitate communication. A client is a person sitting
in one room, and they will communicate with a server, which is a
person sitting in another room.

The client and server communicate by sending each other postcards
(which are the "packets" of information that travel on a real LAN).
Each postcard has a source address (the client's identification and
room where that postcard is sent FROM) and a destination address (the
room where the postcard is going TO). The server is also identified,
by its service, or protocol, number (FTP, used for file transfer, is
service #21).

To handle just the first part of this protocol (establishing the FTP
connection), someone in room A addresses a postcard to someone in room
B, requesting an FTP session, and the postcard is passed out into the
hallway. Each network interface sees each postcard as it travels down
the hall. If the postcard is not addressed to someone in that room,
the interface ignores the postcard and nobody inside the room sees it.

If, on the other hand, the interface is put into a special mode called
"promiscuous mode", that is like the person standing at the door making
a photocopy of every postcard they see and passing it into the room to
someone (the sniffer) who has asked to see every postcard. They aren't
supposed to do this, but there is nothing to stop them in this
scenario, and nobody else in the hallway can tell they are doing it.
Sniffing is a passive activity that leaves no trace on the network
itself; it does, however, leave a trace on the computer being used as
the sniffer (the interface's promiscuous flag and, on many systems, a
log message recorded when that flag was set).
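As an added illustration (not part of the original article), here is how that trace shows up on a Linux host. Linux keeps a per-interface flag word, readable as hex from /sys/class/net/<interface>/flags, in which bit 0x100 (IFF_PROMISC) is set while the interface is promiscuous, and the kernel logs a message each time an interface enters or leaves that mode. The kernel log lines in the example are constructed, in the classic "device eth0 entered promiscuous mode" format; the sysfs path and flag value are Linux specifics and do not apply to other operating systems.

```python
"""Where promiscuous mode leaves a trace on the sniffing host (Linux).

Added example; not from the original article. Linux keeps a per-interface
flag word, readable as hex from /sys/class/net/<interface>/flags, in which
bit 0x100 (IFF_PROMISC) is set while the interface is promiscuous. The
kernel also logs each transition. The log lines below are constructed.
"""
import glob
import os
import re

IFF_PROMISC = 0x100  # from the Linux <linux/if.h> flag definitions


def is_promiscuous(flags_text):
    """Interpret the hex contents of a /sys/class/net/<if>/flags file."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Names of interfaces whose flags currently carry IFF_PROMISC."""
    found = []
    for path in glob.glob(os.path.join(sysfs_root, "*", "flags")):
        with open(path) as f:
            if is_promiscuous(f.read()):
                found.append(os.path.basename(os.path.dirname(path)))
    return sorted(found)


# Constructed sample of the kernel's (older-format) transition messages.
KERNEL_LOG = """\
kernel: device eth0 entered promiscuous mode
kernel: device eth1 entered promiscuous mode
kernel: device eth1 left promiscuous mode
"""


def promisc_from_log(text):
    """Replay entered/left messages; return interfaces still promiscuous at the end."""
    state = {}
    for m in re.finditer(r"device (\S+) (entered|left) promiscuous mode", text):
        state[m.group(1)] = m.group(2) == "entered"
    return sorted(name for name, on in state.items() if on)


if __name__ == "__main__":
    print("live:", promiscuous_interfaces())
    print("from log:", promisc_from_log(KERNEL_LOG))
```

Two caveats. The live check only tells you about the moment you run it, which is why the log replay is there too: an interface that "entered" and never "left" is still being sniffed even if the sniffer process has hidden itself. And an intruder who has root on the sniffing host can alter the tools or the kernel that report this, so a clean result from a machine you suspect is compromised is not proof of anything.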

Playing out the protocol for transferring files shown above, but on
postcards this time, the sniffer in room C ends up with a stack of
postcards that look like this:

The sniffer only cares about the first few postcards that start the
session, because this is where all the good information is found. In
this case, the sniffer makes a note in their sniffer log that looks
something like this:

This shows that I made an FTP connection to an account named "dittrich"
on computer B, and that my password is "op3nS3sam3". The person reading
the log can also infer that I may have an account on computer A (if it
is another Unix system and not a single-user PC or Macintosh), and that
the odds are good that I use the same password on that system.

The key is that the sniffer is (a) able to monitor the communication
channel and (b) my password travels the channel in readable form,
often called "clear text."
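To make the "stack of postcards" concrete, here is an added example (not code from the original article) of what a password sniffer actually does with them: it reassembles the bytes each client sends to each server, then picks the account name and password out of the start of the session. Hosts A, B and C and the "dittrich" / "op3nS3sam3" credentials are the article's; the port numbers, the POP, IMAP and telnet flows, and the split-up FTP PASS line are constructed for the example.

```python
"""Toy password sniffer over a constructed packet capture.

Added example; not code from the original UW article. Hosts A, B and C and
the "dittrich" / "op3nS3sam3" credentials are the article's; every other
value is made up for this example.
"""
import re
from collections import defaultdict

# Service ("extension") numbers of the protocols the article names.
SERVICES = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}

# Constructed capture: (src host, src port, dst host, dst port, payload).
# The FTP PASS line is deliberately split across two packets, as happens on
# a real wire; the telnet flow starts with an option-negotiation sequence.
CAPTURE = [
    ("A", 1025, "B", 21,   b"USER dittrich\r\n"),
    ("B", 21,   "A", 1025, b"331 Password required for dittrich.\r\n"),
    ("A", 1025, "B", 21,   b"PASS op3n"),
    ("A", 1025, "B", 21,   b"S3sam3\r\n"),
    ("B", 21,   "A", 1025, b"230 User dittrich logged in.\r\n"),
    ("A", 1026, "C", 110,  b"USER dittrich\r\nPASS op3nS3sam3\r\n"),
    ("A", 1027, "C", 143,  b'a001 LOGIN dittrich "op3n S3sam3"\r\n'),
    ("D", 1030, "B", 23,   b"\xff\xfd\x18dittrich\r\n"),
    ("D", 1030, "B", 23,   b"op3nS3sam3\r\n"),
]


def reassemble(capture):
    """Group client->server bytes by (client, server, service port).

    A real sniffer orders segments by TCP sequence number; capture order
    stands in for that here. Server->client traffic is dropped because the
    credentials travel in the client's direction.
    """
    flows = defaultdict(bytes)
    for src, sport, dst, dport, payload in capture:
        if dport in SERVICES:
            flows[(src, dst, dport)] += payload
    return flows


def strip_telnet_options(data):
    """Remove telnet IAC WILL/WONT/DO/DONT <option> sequences from typed text."""
    return re.sub(rb"\xff[\xfb-\xfe].", b"", data)


def extract_credentials(flows):
    """Return sniffer-log entries: (client, server, service, user, password)."""
    log = []
    for (client, server, port), data in flows.items():
        service = SERVICES[port]
        user = password = None
        if service in ("ftp", "pop3"):
            # Both protocols send "USER name" then "PASS secret", one per line.
            u = re.search(rb"^USER (\S+)", data, re.M | re.I)
            p = re.search(rb"^PASS (.*?)\r?\n", data, re.M | re.I)
            user = u and u.group(1)
            password = p and p.group(1)
        elif service == "imap":
            # "tag LOGIN user pass"; the password may be a quoted string.
            m = re.search(rb'^\S+ LOGIN (\S+) (?:"([^"]*)"|(\S+))', data, re.M | re.I)
            if m:
                user = m.group(1)
                password = m.group(2) if m.group(2) is not None else m.group(3)
        elif service == "telnet":
            # Heuristic: telnet has no USER/PASS command. The first two lines the
            # client types are normally the answers to "login:" and "Password:".
            lines = strip_telnet_options(data).split(b"\r\n")
            if len(lines) >= 2:
                user, password = lines[0], lines[1]
        if user and password:
            log.append((client, server, service, user.decode(), password.decode()))
    return log


if __name__ == "__main__":
    for entry in extract_credentials(reassemble(CAPTURE)):
        print("%s -> %s [%s] user=%s pass=%s" % entry)
```

Two points worth noticing. Splitting the password across packets buys nothing, because the sniffer reassembles the flow before it looks for anything; and the sniffer never needs to understand the whole protocol, only the few lines at the start of each session where the account name and password travel in the clear.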

Who cares if someone steals my password? It's only email. Isn't it?

No, it's not only email.

Many people who use the simple email services the UW provides on
computer clusters like Homer and Dante don't realize what they have
access to.

Personal computers that run Windows 95 or the Macintosh operating
system are "single user" systems. There are no "accounts" per se for
more than one person to use, and you certainly can't have two or more
people using a standard Windows 95 PC or Macintosh at the same time
(that is, they are not "multi-user" operating systems).

In order to do much of anything with a Windows 95 or Macintosh, you
must be sitting in front of the computer and touching the keyboard.
(Well, that's not entirely true. If you have enabled file sharing,
someone on a remote system can potentially read, alter, or delete
files on your hard disk, even though they are not sitting in front of
your PC. You should be VERY CAREFUL if you turn on file sharing. You
can also install programs that allow remote control of the PC or Mac,
but these are commercial add-on products that are not widely used.)

This "single" vs. "multi" user situation is very different with
operating systems like Unix, or Windows NT. Unix is a multi-user,
multi-tasking operating system. Homer and Dante run Unix as their
operating system. This means you can "log in" to Homer and Dante,
from practically any computer, anywhere, on the Internet. That means
anywhere, literally, in the world!

Not only that, but your account is not the only one there. There are
tens of thousands of other accounts on Homer and Dante. Hundreds, or
even thousands, of people can be using the Homer or Dante clusters at
a given moment.

You may not realize it, but "Homer" and "Dante" are not single systems.
They are clusters, which are made up of dozens of individual computers
with names like "dante01" and "homer32" that all look alike and share
the generic cluster name.

And Homer and Dante are not the only Uniform Access clusters where
you may have accounts. There is the Saul cluster. And the Mead
cluster. And the Becker cluster. In all, you may have access to over
a hundred individual computers, all using the same single password,
and not even know it!

So electronic mail is just one service, out of many, that you access
with your password.

Why would someone want my password?

One of the most powerful things about computers is that you can write
programs to make them do many things.

Some programs are "good" programs. They let you edit files, send
email, or browse the Web. You can also write your own programs (or
compile "public domain" programs written by others) to do homework
assignments, analyze data generated by research experiments, etc.

Other programs are "bad" programs. There are programs that are
designed to deny people services on the Internet by crashing someone's
computer, flooding someone's email inbox, forging email to send
illegal chain letters, breaking in to other computers, etc.

If someone wants to be a "bad guy" and attack someone else, they first
need an account from which to do it. It would be foolish to attack
computers from their own account, since that is easy to trace and they
would get in trouble, maybe even lose the account forever. Instead,
they steal someone else's account and attack from there, getting you
in trouble instead of them. The more accounts the attacker has, the
easier it is to hide their real identity and location. Remember those
hundreds of computers you might be able to use with just one password?
This is the primary reason people break in to systems and install
sniffers: to steal as many accounts as they possibly can, as quickly
as they can.

Or maybe they just want to read your email, perhaps to steal credit
card numbers, find out where you live, or send embarrassing email out
in your name. Or maybe they want to steal or alter your research data.
Or they just want to steal Internet access by using your password to
get to the UW dial in pool. Free Internet!

So you can see, there are many reasons why you should protect your
account, and you need to learn them and act appropriately. Just like
you learn to lock your car door, and your door at home, and your bike
when you park it on the street.

So how can I protect myself?

You might be thinking that sniffers make the entire
Internet completely insecure and that you shouldn't touch it with a
ten foot keyboard. Not at all.

There are unsafe parts of the Internet, just like there are unsafe
parts of large metropolitan areas in the United States. You just need
to learn where the risk is, when you are at risk, and what to do to be
safer.

Think of your account password like you would your credit card number.
If you are like most people you purchase items in stores, or over the
phone, using your credit card number. That number is visible to
others -- just like your password is visible -- during some
transactions (e.g., when you hand the card to a server in a
restaurant, do you know who sees it or when/if they make a copy? Do
you make sure that the carbon paper is ripped up instead of ending
up in the trash can in the alley out back where anyone can find it?)
If you suspect that someone has your credit card number and may use it,
you call your bank and change the number.

The first thing you must understand is that your password may
be exposed when you use certain network services like
telnet, ftp, rlogin, and POP and IMAP email
sessions. Web browsing can also involve passwords, so it too can risk
exposing password information (although passwords used in web forms
are usually not the same passwords as your email, or Unix "shell",
account).

Next, think about how many times you type your password in a single
work session. If you find you have to type your password dozens, or
even hundreds of times per session, you should be looking for ways to
reduce this number (ideally getting to a "single sign on" environment
where you only authenticate yourself once per session).

There are alternatives to telnet and ftp, for example
the Berkeley "r" utilities. [The Berkeley "r" utilities are documented
in Unix man pages. Use the Unix commands man rsh, man
rlogin, man rcp, and man rhosts to see them.]
For terminal sessions, you can use rlogin instead of
telnet. For transferring files, you can use rcp instead
of ftp. There is also a remote shell program called rsh
that lets you start a program running on one or more remote computers
using a single command.

When set up properly, a file named .rhosts in your home
directory on the remote system allows you to connect to that system
without having to type your password. This means there is no password
to sniff, and the person sitting next to you cannot watch over your
shoulder as you type it. Two cautions, though. First, the session
itself still travels in the clear, so anything you type or transfer
once you are logged in can still be read by a sniffer. Second, the
Berkeley "r" utilities trust the computer name and user name presented
to them when deciding who is allowed access, and those names can be
forged by an attacker, which is one reason the "r" utilities are
disabled at some sites.

Since passwords are sometimes stolen, it is a good idea to change your
password periodically. Some sites actually require you change
passwords every so often (e.g., every 120 days). This limits the
amount of time a stolen password is usable by an attacker.

It is also a good idea to not share your password with anyone. Sharing
accounts makes it hard for you to know where your password is being
used (and exposed) and whether your account is being used by the person
you trusted with your password or by someone who stole it.

That includes not giving your password to someone who calls you on the
phone claiming to be "C&C Computer Operations" or the "UW Network
Security Officer" and informing you they need to verify some
information about your account to fix some problem or investigate a
system break-in. C&C staff would not -- as a matter of policy -- ask
someone for their password over the phone. This is called "social
engineering" and is probably the simplest and most effective method
of hacking available. Don't be suckered into it.

You also need to ask yourself, "which networks can I trust, and which
ones can't I trust?" That is a hard question to answer.

It is best to be a bit wary of trusting networks to be secure and to
ask your network provider what precautions they take to secure you
against sniffers. (If they say, "what is a sniffer?", it's probably
time to look for a new Internet provider!) If you go on vacation and
use a friend's account in southeast Asia, or an Internet Cafe in
Europe, or even use a friend's dorm room computer at another
University in your home town, are you sure you can trust that
network?

One general statement that can be made is that the cheaper the
network, the more insecure it is. Dividing services up across
multiple systems (called "partitioning") costs more money. Using
bridges or ethernet switches (to subdivide networks and limit what
packets a sniffer can see), scrambling hubs (to prevent sniffers from
being able to read the data portion of packets), or installing
security software, also cost money. Lots of money. This means the
smaller network providers, who need the protection the most, are the
ones that can afford it the least. With more and more companies
jumping onto the Internet, the problem is getting worse, not better.

On the software side, MIT has developed a system called "Kerberos".
Kerberos provides a way to authenticate yourself to some network
services without your password ever crossing the network, so there is
nothing for a sniffer to capture. It also means you only have to give
your password once for every few hours you are using network services
(the lifetime of the "ticket" Kerberos issues you).

Another way of avoiding exposure of your password that is widely
supported on the Internet is to use the "Secure Shell", or "ssh". Ssh
encrypts the entire session, so your password, and everything you type
or transfer after it, is not readable by sniffers. A session like the
one above, done on postcards using ssh, would look to a sniffer like a
bunch of meaningless garbage:

From this, the attacker can see nothing that is useful in stealing
passwords. (What a sniffer can still see is which two computers are
talking, that they are using ssh, and roughly how much data passes
between them; it cannot see what was said.)
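To make the contrast concrete, here is an added example (not from the article) of the same login seen twice by a passive sniffer: once in the clear on the FTP port, as in the postcard walkthrough earlier, and once wrapped in a session key on the ssh port. The cipher is a toy stand-in (SHA-256 keystream XOR) for the ciphers ssh really negotiates, used only so the example runs without extra libraries; the hosts, ports, key and messages are constructed.

```python
"""What a passive sniffer sees: the same login, in the clear and encrypted.

Added example; not from the original article. The cipher below is a toy
stand-in (SHA-256 keystream XOR) for the ciphers ssh really negotiates, used
only so the example runs without extra libraries. Hosts, ports, key and
messages are constructed.
"""
import hashlib
import re

SESSION_KEY = b"constructed session key: agreed by the two ends, never sent in the clear"
SESSION_ID = b"session-0001"
LOGIN = [b"USER dittrich\r\n", b"PASS op3nS3sam3\r\n"]


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with SHA-256(key || nonce || offset) blocks.

    Symmetric, so the same call decrypts. Illustration only; not for real use.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def clear_session():
    """The article's ftp-style login as postcards: (src, dst, port, payload)."""
    return [("A", "B", 21, msg) for msg in LOGIN]


def encrypted_session():
    """The same login wrapped by an ssh-like layer; a fresh nonce per message."""
    return [("A", "B", 22, keystream_xor(SESSION_KEY, SESSION_ID + bytes([i]), msg))
            for i, msg in enumerate(LOGIN)]


def sniffer_view(packets):
    """Per postcard: who, to whom, which service, and whether a login command is readable."""
    return [(src, dst, port, any(tag in payload for tag in (b"USER ", b"PASS ", b"LOGIN ")))
            for src, dst, port, payload in packets]


def sniffed_password(packets):
    """The entry the article's sniffer log would hold: the PASS argument, if readable."""
    for _, _, _, payload in packets:
        m = re.search(rb"^PASS (.*?)\r?\n", payload, re.M)
        if m:
            return m.group(1).decode()
    return None


if __name__ == "__main__":
    for label, session in (("clear", clear_session()), ("ssh-like", encrypted_session())):
        print(label, sniffer_view(session), "password:", sniffed_password(session))
```

Note what the encrypted view still exposes: the source and destination and the service number. Real ssh also exchanges a version banner in the clear before encryption starts, so a sniffer does know an ssh session is taking place; it simply cannot read what is inside it. The server, holding the same session key, gets the original bytes back with the same keystream_xor call.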

What else can be done?

Just like many stores and restaurants now use carbon-less receipts to
prevent credit card numbers from winding up in trash cans, your
department or network provider can also do things to secure your
password over at least their LAN. There are network cards that cannot
be put in promiscuous mode, so computers can't be hijacked and turned
into sniffers. There are ethernet switches and special network hubs
that hide or scramble packets that don't belong to a particular
network interface. There are also encryption packages (like Kerberos
and ssh, and also SSL, commonly used for world wide web communication)
that eliminate clear text passwords.

C&C has been installing scrambling hubs in the residence halls for
years. This makes these networks effectively unsniffable. We have
also partitioned the networks that serve the dial-in modem pools, so
they are also unsniffable. The network backbone is made up of only
Ethernet switches and routers, also unsniffable. The risks now are
mostly on those LANs on campus that are poorly funded or lack
sufficient network administration resources.

C&C is working on implementing Kerberos. Using the UW network
will be much more secure with Kerberos, but it may take a long time to
extend Kerberos to all computers you use in your academic department
on campus, to your home computer, or to other institutions outside the
UW where you may have accounts. If you fall back to using "telnet" in
these cases, you are right back at risk of sniffing.

We have also installed ssh on all Uniform Access systems, so you can
start using it today to secure your connections (ask your departmental
network administrators about using ssh). Ssh and Kerberos can work
side by side. They do not interoperate, but then they are not
mutually exclusive technologies either. When Kerberos is available on
campus, it will be ideal to use it, but when that won't work you
should try to use ssh instead.

If you have to use telnet some time on an untrusted network,
like the vacation scenario where you log on to a UW computer remotely,
change your password as soon as you get back to the UW and can use a
more trusted network to connect. Many sniffers record only the first
few packets of each session, so changing your password right before
you log out of the untrusted session may leave the attacker holding
only the old one; but nothing forces a sniffer to stop there, and one
that records the whole session will capture the new password as well.
You have to remember, though, that you used your account on an
untrusted network, and treat that password as exposed until you have
changed it from a network you trust.

In an ideal world, many of these things would be handled by the people
who provide you with network service so you don't have to know about
them, but like locks on your car and home, you still need to know at
least a little bit about how and when to use them. Security is never
something you can take entirely for granted.

Why has the Internet been vulnerable to sniffers for so long?

The situation has taken this long to fix for a number of reasons.

Part of the problem is that software companies are fighting their own
battles for market share and trying to bring users fancy new features.
They will say they prefer delivering "user friendly" systems over ones
that come with tight security features, which often make the systems
harder to set up or less convenient to use. (It is often said that
security is inversely proportional to ease of use.) This is the same
logic car manufacturers used for decades to justify not installing
seat belts in all vehicles sold.

Part of the problem is added cost for ethernet switches, hubs,
interface cards that don't support promiscuous mode, and new software.
If there is barely enough money to buy the cheapest hardware to get a
minimal network up and running, and practically none for skilled
network administrators, it's going to be very hard to have a secure
network. With security, you [don't] get what you [don't] pay for.

Part of the problem is incompatibilities -- vendor A software to
vendor B software, and older software to newer software -- between
software products.

Often the priorities for dealing with these problems are set by
"market forces" -- in other words "money"; they don't have enough, or
you won't pay enough -- and software vendors set these priorities in
response to user demand, or the company's perception of user demand.
More people want a new widget in their word processor, or support for
some new sound card or 62X CD-ROM drive, than are asking for
abolishing clear text passwords in network services and other security
features.

One thing is certain: as more of our economic, academic, and personal
lives are lived on ever more interconnected computer networks, the
more responsibility we have to protect our online assets and our
privacy.